From f3ea2e613ec86d5a6cdb8171896bd2230f9e386e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Fri, 2 Aug 2024 10:01:23 +0200
Subject: [PATCH] Fix SSL error queue cleanup for backend conns

The SSL error queue wasn't cleanup after an SSL related error took place in a backend connection. This would result in the propagation of the error to other conns handled by the thread, which could result in: - Incorrect destruction of connections in conn-pool. - Invalid error propagation to clients. This is a consequence of 'libmariadbclient' not performing a cleanup of this queue by itself. The situation got mitigated since the library **does** perform a cleanup of such queue during connect phase ('auth_caching_sha2_client|auth_sha256_client'), and ProxySQL does a cleanup of this queue during frontend SSL traffic.
---
 lib/MySQL_HostGroups_Manager.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/MySQL_HostGroups_Manager.cpp b/lib/MySQL_HostGroups_Manager.cpp
index 37c075c6b..5bf4f80c5 100644
--- a/lib/MySQL_HostGroups_Manager.cpp
+++ b/lib/MySQL_HostGroups_Manager.cpp
@@ -2536,6 +2536,15 @@ MySQL_Connection * MySQL_HostGroups_Manager::get_MyConn_from_pool(unsigned int _
 }

 void MySQL_HostGroups_Manager::destroy_MyConn_from_pool(MySQL_Connection *c, bool _lock) {
+ // 'libmariadbclient' only performs a cleanup of SSL error queue during connect when making use of
+ // 'auth_caching_sha2_client|auth_sha256_client' during connect. If any SSL errors took place during the
+ // previous operation, we must cleanup the queue to avoid polluting other backend conns.
+ int myerr=mysql_errno(c->mysql);
+ if (myerr >= 2000 && myerr < 3000 && c->mysql->options.use_ssl) {
+ proxy_debug(PROXY_DEBUG_MYSQL_CONNPOOL, 5, "Client error %d detected on SSL connection, cleaning SSL error queue\n", myerr);
+ ERR_clear_error();
+ }
+
 bool to_del=true; // the default, legacy behavior
 MySrvC *mysrvc=(MySrvC *)c->parent;
 if (mysrvc->get_status() == MYSQL_SERVER_STATUS_ONLINE && c->send_quit && queue.size() < __sync_fetch_and_add(&GloMTH->variables.connpoll_reset_queue_length, 0)) {
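Review bot: The guard around the new `ERR_clear_error()` call only fires when `mysql_errno()` is still in 2000–2999 at destroy time, so a queue entry left by an SSL failure whose errno was later reset or overwritten, or on a connection that goes back to the pool instead of being destroyed, could still leak into the next connection this thread serves. This is inferred from the visible condition alone, because the body of destroy_MyConn_from_pool continues outside the hunk. OpenSSL needs the calling thread's error queue to be empty before an SSL I/O call for `SSL_get_error()` to be reliable, and clearing is cheap, so consider dropping the errno test: `if (c->mysql && c->mysql->options.use_ssl) { ERR_clear_error(); }`. If the range check stays, `CR_MIN_ERROR`/`CR_MAX_ERROR` from the client library's errmsg.h (if exposed in this build) would read better than the literals 2000/3000. The queue is also discarded unlogged, so draining it with `ERR_get_error()` into the debug message before clearing would keep the TLS failure reason available for troubleshooting.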